Information security incident reporting standard

Standard

Final | September 2018 | v3.0.0 | OFFICIAL - Public | QGCIO

Introduction

Purpose

A Queensland Government Enterprise Architecture (QGEA) standard provides information for Queensland Government departments on the recommended practices for a given topic area. Standards are intended to help departments understand the appropriate approach to addressing a particular issue or doing a particular task. Unlike a guideline, which is better practice advice, a standard is enforced by policy.

The Information security incident reporting standard was developed to provide departments with advice on meeting their information security incident reporting requirements under the Information security policy (IS18:2018). This standard should be read in conjunction with the Information security incident management guideline.

Audience

This document is primarily intended for departmental staff and operational areas involved in information security incident management, response and reporting.

Definitions

Information security event

A security ‘event’ is ‘an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant’ [ISO/IEC 27000:2018].

Information security incident

An information security ‘incident’ is defined as ‘a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security’ [ISO/IEC 27000:2018].

Background

This standard has been developed to centrally coordinate reporting and monitoring processes for information security incidents within Queensland Government. The Queensland Government Chief Information Office (QGCIO) houses the Queensland Government Information Security Virtual Response Team (QGISVRT). The QGISVRT is the central point of contact for information security incident reporting, and is responsible for incident coordination from a whole-of-government perspective.

Incident reporting provides significant benefits for both Queensland Government departments and the QGISVRT:

reporting obligations ensure information is provided in a timely manner through appropriate channels to the intended audience

QGISVRT can advise departments how to contain or limit the impact of an incident, or direct them to other sources for incident management or resolution

quarterly reporting builds a comprehensive security risk profile which can be used for trend analysis

continuous improvement of incident response processes and appropriate control selection through the application of lessons learned

consistent response plans can be developed by the QGISVRT.

Mandatory reporting

Reporting obligations

The Business Impact Level (BIL) reporting table determines a department’s reporting obligations in relation to an information security incident.

BILs are defined in the Queensland Government Information Security Classification Framework (QGISCF) and are determined by the business owner of the system.

If a system does not have a BIL assigned, the business owner of the system must be consulted to determine the appropriate level.

Systems which have not been assessed under the Queensland Government Information Security Classification Framework v4.0.0 (QGISCF) should use ‘Appendix C - Mapping between old and new confidentiality classifications’ to determine immediate reporting requirements.

Note that this mapping is based on ‘confidentiality’ only; a full assessment of the system should be completed once the incident has concluded to determine the system’s integrity and availability BILs.

Departments must report:

immediately for security incidents affecting a system with a Medium BIL or above

QGCIO will:

by default, share de-identified threat intelligence (where possible) gathered during an incident, such as indicators of compromise, unless requested not to by a department

analyse and interpret incident information to identify trends or patterns, provide advice to agencies, determine the impact to whole-of-government and publish de-identified materials relating to the analysis of incidents.

QGCIO will not:

provide information to entities outside of Queensland Government which may identify a department or agency without their express permission.

What type of incident has occurred based on the definitions in ‘Appendix B – Incident type’

Indicators of compromise

These are the artefacts of the event or incident which can be used to determine whether a compromise may have occurred, for example:

URIs

IP addresses

Email headers

Email addresses

Email subjects

Email body

Web domains

File hashes

File types / files

Other indicators of relevance

Appendix B

Incident type

For the purposes of information security event and incident reporting, incidents must be assigned an incident classification from the table below.

Term

Description

Theft/loss of assets

The theft or loss of any information or technology asset/device (including portable and fixed media) that might have been or has been used to either process or store Queensland Government information.

Account Compromise

The compromise of Queensland Government account credentials providing unauthorised access to a malicious third party. This often involves leveraging the target’s position of trust, or escalating privileges to move laterally.

Types of account compromises include:

Business email compromise

Local credentials (LAN)

Administrator credentials

SaaS Credentials

Etc.

Phishing

Emails or domains which masquerade as a legitimate entity with the goal of compromising a user’s information such as:

Access credentials

Personal information

Banking information

Unauthorised access to information/systems

Unauthorised access from internal and external sources to Queensland Government information and systems.

Use this type if the incident does not fit into account compromise or intrusions against networks.

Unauthorised release of or disclosure of information

Unauthorised release or disclosure of Queensland Government information.

Malware infections

Software programs designed to cause damage to Queensland Government systems.

Ransomware infections

Software programs designed to extort a payment, usually financial, by denying authorised user access to Queensland Government information systems.

Intrusions against networks

Intrusions targeting Queensland Government internal infrastructure. This includes but is not limited to:

Remote code execution

Denial-of-service (DoS)/distributed denial-of-service (DDoS)

Website defacements

Brute-force attempts.

Report intrusions that, after analysis, cannot be attributed to what is considered normal Internet noise; for example, intrusion attempts that consistently target internal network infrastructure, users, or services provided for external use such as web applications.

Abuse of privileges

Unauthorised changes to privileged user settings on stand-alone or networked equipment including network profiles, local user or device configuration files that have not been approved through the Department’s change management process.

Any unauthorised changes to an organisation’s file system, including media, through insertion, modification or deletion. For example, changes to the standard operating environments (SOEs), addition of executables or the modification of an executable’s configuration.

Any unauthorised installation of additional processing, communications or storage equipment into the IT network. This includes but is not limited to:

routers, switches, modems, firewalls

portable games units

USB devices

smart phones

wireless access points.

Violation of information security policy

Any violation of information security policy or the information security related aspects of the code of conduct.

Suspicious system behaviour or failure (hardware, software or communications)

Includes a malfunction within the electronic circuits or electromechanical components of a computer or communications system, or the malfunction or inability of a program to continue processing due to erroneous logic.

Password confidentiality

Sharing, stealing or loss of passwords or other authentication tokens.

Sabotage/physical damage

Any damage or destruction of physical information assets or electronic devices.

Other events

Natural events and other events which result in damage to information and systems. This includes but is not limited to: